A stack-overflow in printf_common()

[ZFeiXQ]

Version:

version_103

System information

command:

./bin/wasm-ctor-eval POC4

POC4.zip

Result

1887835 segmentation fault  ./bin/wasm-ctor-eval 

GDB information

Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
RAX: 0xfbad8001 
RBX: 0x0 
RCX: 0x0 
RDX: 0x7fffff7ff490 --> 0x3000000020 (' ')
RSI: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
RDI: 0x7fffff7ff2e0 --> 0x7ffffbad8001 
RBP: 0x7fffff7ff2c0 --> 0x7fffff7ff460 --> 0x0 
RSP: 0x7fffff7fed50 
RIP: 0x7ffff6f16a01 (<__vfprintf_internal+33>:	mov    DWORD PTR [rbp-0x4c0],ecx)
R8 : 0x0 
R9 : 0x7fffff7ff3d0 --> 0x0 
R10: 0x7ffff6f2c180 (<___vsnprintf>:	endbr64)
R11: 0x7ffff7088be0 --> 0x555555800a40 --> 0x6201f248 
R12: 0x7fffff7ff2e0 --> 0x7ffffbad8001 
R13: 0x7ffff7df5092 --> 0x6d73617700756c25 ('%lu')
R14: 0x7fffff7ff490 --> 0x3000000020 (' ')
R15: 0x7fffff7ff490 --> 0x3000000020 (' ')
EFLAGS: 0x10206 (carry PARITY adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
   0x7ffff6f169f6 <__vfprintf_internal+22>:	mov    r12,rdi
   0x7ffff6f169f9 <__vfprintf_internal+25>:	push   rbx
   0x7ffff6f169fa <__vfprintf_internal+26>:	sub    rsp,0x548
=> 0x7ffff6f16a01 <__vfprintf_internal+33>:	mov    DWORD PTR [rbp-0x4c0],ecx
   0x7ffff6f16a07 <__vfprintf_internal+39>:	mov    rax,QWORD PTR fs:0x28
   0x7ffff6f16a10 <__vfprintf_internal+48>:	mov    QWORD PTR [rbp-0x38],rax
   0x7ffff6f16a14 <__vfprintf_internal+52>:	xor    eax,eax
   0x7ffff6f16a16 <__vfprintf_internal+54>:	mov    rax,QWORD PTR [rip+0x171453]        # 0x7ffff7087e70
[------------------------------------stack-------------------------------------]
Invalid $SP address: 0x7fffff7fed50
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
1289	vfprintf-internal.c: No such file or directory.

gdb-peda$ bt 20
#0  0x00007ffff6f16a01 in __vfprintf_internal (s=s@entry=0x7fffff7ff2e0, format=format@entry=0x7ffff7df5092 "%lu", ap=ap@entry=0x7fffff7ff490, mode_flags=mode_flags@entry=0x0) at vfprintf-internal.c:1289
#1  0x00007ffff6f2c11a in __vsnprintf_internal (string=0x7fffff7ff460 "", maxlen=<optimized out>, format=0x7ffff7df5092 "%lu", args=0x7fffff7ff490, mode_flags=0x0) at vsnprintf.c:114
#2  0x000055555557737f in std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > __gnu_cxx::__to_xstring<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, char>(int (*)(char*, unsigned long, char const*, __va_list_tag*), unsigned long, char const*, ...) ()
#3  0x00007ffff7c00030 in wasm::WasmBinaryBuilder::getNextLabel() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#4  0x00007ffff7c0eeef in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#5  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#6  0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#7  0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#8  0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#9  0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#10 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#11 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#12 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#13 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#14 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#15 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#16 0x00007ffff7c0ef20 in wasm::WasmBinaryBuilder::getBlockOrSingleton(wasm::Type) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#17 0x00007ffff7c08d57 in wasm::WasmBinaryBuilder::visitTryOrTryInBlock(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#18 0x00007ffff7c0a2c7 in wasm::WasmBinaryBuilder::readExpression(wasm::Expression*&) () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
#19 0x00007ffff7c0b13e in wasm::WasmBinaryBuilder::processExpressions() () from /home/zxq/CVE_testing/sourceproject/binaryen/bin/../lib/libbinaryen.so
(More stack frames follow...)
gdb-peda$ 

[kripken]

This looks like a stack overflow - there are many thousands of nested try-catches, and after 6625 or so it faults. Running in valgrind shows

Stack overflow in thread #1: can't grow stack to 0x1ffe801000

Increasing the stack size leads to a proper error,

[parse exception: attempted pop from empty stack / beyond block start boundary at 18824 (at 0:18824)]

I don't know much about stack overflow mitigations in native builds. Is there anything we should do here?

[rathann]

This was assigned CVE-2021-46050 by Red Hat. It looks like it's no longer reproducible in 121:

$ wasm-ctor-eval ./POC4 
[parse exception: invalid UTF-8 string (at 0:43344)]Fatal: error in parsing input

[rathann]

In 120, the output is different, but it doesn't crash, either:

$ wasm-ctor-eval ./POC4
[parse exception: control flow inputs are not supported yet (at 0:2631)]Fatal: error in parsing input

In 116, the output is different again, but it still doesn't crash:

$ wasm-ctor-eval ./POC4
[parse exception: attempted pop from empty stack / beyond block start boundary at 18824 (at 0:18824)]Fatal: error in parsing input

However, I get the above output even in 103, against which this bug was opened. It doesn't segfault for me at all. I tested Fedora build, though, which is compiled with some hardening flags, so that might be why.

[tlively]

Sounds like this would be fixed by the new non-recursive interpreter.